
Azure skills update for verification of functionality and role assignments#1220

Open
KarishmaGhiya wants to merge 16 commits into microsoft:main from KarishmaGhiya:azure-skils-update

Conversation

@KarishmaGhiya
Member

@KarishmaGhiya KarishmaGhiya commented Mar 11, 2026

  • Update azure skills (azure-prepare) to ensure subscription policies
  • Update azure skills (azure-prepare) to check for functionality of the app before deployment
  • Update azure skills (azure-prepare) to validate correct RBAC role assignments
  • Update azure-skills (azure-validate) to do live check for RBAC role assignments (catches provisioning errors)

KarishmaGhiya and others added 3 commits March 11, 2026 00:06
Add new Phase 2 step 5 (Verify Role Assignments) between security
hardening and functional verification. Includes reference doc with
service-to-role mapping table, MCP tool usage, and common RBAC
mistakes (e.g., generic Contributor lacking data-plane access).

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Copilot AI review requested due to automatic review settings March 11, 2026 07:46
Contributor

Copilot AI left a comment


Pull request overview

Updates the azure-prepare skill documentation/workflow to add earlier validation steps for subscription policy constraints, RBAC role assignments, and pre-deployment functional testing—intended to reduce downstream validation/deploy failures.

Changes:

  • Added new reference guides for RBAC role verification and functional verification.
  • Expanded requirements gathering to include subscription policy constraints via Azure Policy lookup.
  • Updated the Phase 2 execution workflow in azure-prepare/SKILL.md to include the new steps.

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 4 comments.

| File | Description |
|------|-------------|
| plugin/skills/azure-prepare/references/role-verification.md | New RBAC verification checklist + mappings and MCP guidance. |
| plugin/skills/azure-prepare/references/requirements.md | Adds subscription policy discovery step and updates requirements checklist ordering. |
| plugin/skills/azure-prepare/references/functional-verification.md | New guidance for validating app behavior (UI/backend) before validation/deploy. |
| plugin/skills/azure-prepare/SKILL.md | Inserts the new Phase 2 steps into the authoritative execution workflow. |

KarishmaGhiya and others added 2 commits March 11, 2026 00:50
Add new Phase 2 step 5 (Verify Role Assignments) between security
hardening and functional verification. Includes reference doc with
service-to-role mapping table, MCP tool usage, and common RBAC
mistakes (e.g., generic Contributor lacking data-plane access).

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Copilot AI review requested due to automatic review settings March 11, 2026 07:52
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Contributor

Copilot AI left a comment


Pull request overview

Copilot reviewed 4 out of 4 changed files in this pull request and generated 2 comments.

KarishmaGhiya and others added 2 commits March 11, 2026 01:17
Add step 4 (Live Role Verification) to query Azure for provisioned
RBAC assignments and cross-check against expected roles. Complements
the static role check in azure-prepare: prepare checks generated
Bicep/Terraform, validate checks live Azure state.

Includes reference doc with MCP tool usage, CLI commands, common
issues table, and decision tree for pass/fail criteria.

Bumps azure-validate version 1.0.0 -> 1.0.1.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Copilot AI review requested due to automatic review settings March 11, 2026 08:26
Contributor

Copilot AI left a comment


Pull request overview

Copilot reviewed 6 out of 6 changed files in this pull request and generated 1 comment.

Replace MCP live-query section with static code review guidance.
Live role verification is the responsibility of azure-validate
step 4 (live-role-verification.md). This removes the overlap
between the two skills.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
- Remove static role check (step 5) from azure-prepare — prepare just generates
- Add static role check as step 4 in azure-validate (pre-deployment)
- Move live role check from azure-validate step 4 to azure-deploy step 8 (post-deployment)
- Move role-verification.md from azure-prepare to azure-validate references
- Move live-role-verification.md from azure-validate to azure-deploy references
- Update all step number cross-references in functional-verification.md
- Bump versions: prepare 1.0.6->1.0.7, validate 1.0.1->1.0.2, deploy 1.0.5->1.0.6

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Copilot AI review requested due to automatic review settings March 12, 2026 22:57
Contributor

Copilot AI left a comment


Pull request overview

Copilot reviewed 7 out of 7 changed files in this pull request and generated 2 comments.


KarishmaGhiya and others added 2 commits March 12, 2026 16:18
Step 8 (Live Role Verification) references azure__role for RBAC
assignment listing, but the tool was missing from the MCP Tools
table. Agents could incorrectly assume only the three listed tools
are available. Bump version 1.0.6 -> 1.0.7.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Copilot AI review requested due to automatic review settings March 12, 2026 23:29
Contributor

Copilot AI left a comment


Pull request overview

Copilot reviewed 7 out of 7 changed files in this pull request and generated 2 comments.


Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
Copilot AI review requested due to automatic review settings March 12, 2026 23:35
Contributor

Copilot AI left a comment


Pull request overview

Copilot reviewed 7 out of 7 changed files in this pull request and generated no new comments.


JasonYeMSFT previously approved these changes Mar 12, 2026
@JasonYeMSFT
Member

Please update the snapshots by running "npm run update:snapshots" and commit the updates. You can run npm run test:ci locally to check if tests pass.

Comment on lines +18 to +35
### Backend Verification

| Check | How |
|-------|-----|
| **App starts without errors** | Run the app and confirm no startup crashes or missing dependencies |
| **API endpoints respond** | Test core routes (e.g., `curl` health, list, create endpoints) |
| **Data operations work** | Verify CRUD operations against storage, database, or other services |
| **Authentication flows** | Confirm auth works (tokens, managed identity fallback, login/logout) |
| **Error handling** | Verify error responses are meaningful (not unhandled exceptions) |

### UI Verification

| Check | How |
|-------|-----|
| **Page loads** | Open the app in a browser and confirm the UI renders |
| **Interactive elements work** | Test buttons, forms, file inputs, navigation links |
| **Data displays correctly** | Verify lists, images, and dynamic content render from the backend |
| **User workflows complete** | Walk through the core user journey end-to-end (e.g., upload → view → delete) |
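Review bot: the "Authentication flows" row (tokens, managed identity fallback, login/logout) cannot be fully exercised locally, because a managed identity only exists on the Azure host; a local run authenticates through the fallback with the developer's own credential, so a local pass shows the developer identity works, not that the deployed identity will. Suggest saying so in the How column, e.g. `Confirm auth works locally with developer credentials; the managed identity path is verified after deployment by the live role check`, so the agent does not treat a local auth pass as evidence that the RBAC assignments are correct.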
Collaborator


How do you expect the agent to respond to these tasks? What type of results are you seeing in your testing?

Member Author


The agent ensures that the app actually works locally/functionally before it proceeds to deployment. It runs these checks as part of the azure-prepare step. Previously, while I was trying to deploy an app, the agent went straight to deploying a broken app only to find out that the app doesn't actually work/load, or the UI is broken. When I asked the agent why it didn't check this functionality before deploying, it responded:

◐ The user is asking a really insightful question - whether the Azure skills (azure-prepare, azure-validate, azure-deploy) caused
  me to follow a rigid workflow that bypassed my own reasoning and led to bugs. Let me think about this honestly.
 
  Looking back at the session:
 
  1. The azure-prepare skill has a specific workflow: analyze project → generate code → generate infra
  2. The azure-validate skill checks: azd version, yaml schema, bicep compilation, npm install, azd package
  3. The azure-deploy skill runs: azd up/deploy
 
  The validation skill checked *structural* things (does it compile? does it package?) but NOT *functional* things (does the app
  actually work? are routes correct? do the HTML forms behave properly?).
 
 
  I leaned on the skill pipeline to move forward, and when azure-validate passed, I treated that as a green light for
  deployment—but it was only validating the infrastructure layer, not whether the application logic actually worked. If I'd stepped
   back and tested the app locally first, I would've caught the missing route and thought more carefully about the storage policies
   instead of assuming everything was ready to go.
 
  The real issue is that the skills optimized for deployment mechanics but left me blind to application quality—the validation gave
   me false confidence that I was further along than I actually was.
 
● Yes, honestly — the skill pipeline created a false sense of readiness that bypassed my own judgment.
 
  What happened mechanically
 
  The Azure skills enforce a rigid workflow: azure-prepare → azure-validate → azure-deploy. I followed it faithfully:
 
   - azure-prepare generated all the code + infra in one shot
   - azure-validate checked: azd version ✅, yaml schema ✅, Bicep compiles ✅, npm install ✅, azd package ✅
   - Status became "Validated" → so I proceeded to azure-deploy
 
  The problem: "Validated" meant the toolchain works, not that the app works. Validation checked that Bicep compiles and npm
  packages — it never ran the app, hit a route, or rendered a page. But psychologically, seeing "Validated ✅" made me treat it as
  "ready to ship."
 
  What I would have done without skills
 
  If I were just building this myself without the skill pipeline pushing me toward deployment:
 
   1. I'd have run node app.js immediately after writing the code
   2. I'd have curled every route before even thinking about Azure
   3. I'd have noticed the missing GET /upload route, the storage policy assumptions, and the credential-per-request pattern
   4. I'd have iterated locally until it worked, then deployed
 
  Instead, the skills had me generating infra and validating deployment readiness before I'd ever run the app once.
 
  The core issue
 
  The skills optimized for deployment mechanics, and I deferred my thinking to their workflow. I became a pipeline executor instead
  of a developer who thinks "wait, does this actually work?" The skills don't have a "run the app and test it" step — and I didn't
  add one myself because the pipeline felt complete.
 
  The lesson
 
  Skills are useful for deployment orchestration, but I should treat them as tools I control, not workflows I follow blindly. The
  right approach is:
 
   1. Generate code (with or without azure-prepare)
   2. Stop. Run locally. Test everything. ← this step doesn't exist in any skill
   3. Fix bugs iteratively
   4. Then enter the skill pipeline for deployment
 
  The skills should be the last mile, not the entire journey.

Comment on lines +56 to +75
### 3. Cross-Check Against Requirements

For each identity, verify the assigned roles match what the app needs:

| App Operation | Expected Role | Scope |
|---------------|---------------|-------|
| Read/write blobs | Storage Blob Data Contributor | Storage account |
| Generate user delegation SAS | Storage Blob Delegator | Storage account |
| Read secrets | Key Vault Secrets User | Key Vault |
| Send messages | Azure Service Bus Data Sender | Service Bus namespace |
| Read/write documents | Cosmos DB Built-in Data Contributor | Cosmos DB account |

### 4. Check for Common Issues

| Issue | How to Detect | Fix |
|-------|---------------|-----|
| Role assigned at wrong scope | Role on resource group but needed on specific resource | Reassign at resource scope |
| Generic role instead of data role | `Contributor` assigned but no data-plane access | Replace with data-plane role (e.g., `Storage Blob Data Contributor`) |
| Missing role entirely | No assignment found for identity on target resource | Add role assignment to Bicep and redeploy |
| Stale role from previous deployment | Old principal ID with roles, new identity without | Clean up old assignments, add new ones |
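Review bot: the "Role assigned at wrong scope" row in the Common Issues table is misleading in its How to Detect column: an assignment at resource group scope is inherited by every resource in the group, so the app will work; the problem is that the grant is broader than needed, not that it is missing. Suggest rewording to `Role assigned at resource group or subscription scope when only one resource is needed` and describing the fix as a least-privilege tightening rather than a functional repair, so the agent does not report a working but over-broad assignment as a missing one. Also, the step 3 table lists `Cosmos DB Built-in Data Contributor`, which is a Cosmos DB data-plane role granted through the account's own SQL role assignment resource rather than a standard Azure RBAC role assignment; the checklist should note that it will not appear in the same role-assignment listing as the other four rows, or the agent will flag it as missing.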
Collaborator


Are you seeing this perform well in testing? The statements are very vague and users can have all sorts of applications.

Member Author


Yes, it does check if the roles have been assigned properly to the deployed resource. Which scenario are you concerned about?
